question

51892182 asked

If an Ent CA is renewed with a new key, can a client chain a previously issued cert up to the new Ent CA cert?

I checked that it says existing certs will have no impact until they expire, but I need more information about the details,
and I wish to know the mechanism,
1. Can a client chain a previously issued cert up to the new Ent CA cert? If it chains by AKID to SKID, but the renewed CA's public key has changed, then it cannot verify the signature anymore.
2. That means a previously issued cert will no longer be valid once the previous Ent CA cert expires, because it cannot chain up to the new Ent CA cert.
Thank you

Tags: windows-10-security, windows-server-security

1 Answer

Crypt32 answered

Can a client chain a previously issued cert up to the new Ent CA cert?

No, it can't. When you renew a CA with a new key pair, only one chain is possible.

That means a previously issued cert will no longer be valid once the previous Ent CA cert expires, because it cannot chain up to the new Ent CA cert.

That's correct. But since a CA NEVER issues a certificate with a validity that lies outside its own (CA) certificate validity, it is guaranteed that any certificate signed by an expired CA certificate is itself naturally expired. It can be extrapolated to a rule: any certificate in a chain will naturally expire before its issuer does. An intermediate CA, for example, will naturally expire before the root CA does. And this rule applies to any element in the chain regardless of its length.

And this is not always the case when a CA is renewed using the existing key pair (key reuse). This allows the possibility of different chains with different weights, and a special algorithm must be used to select a single chain among all those available. And these algorithms sometimes fail: they choose an expired chain instead of a valid one because of weight differences. This is why I never recommend renewing a CA with the existing key pair. It opens a possibility of ambiguity which is not always resolved properly. By generating a new key pair you get only a single chain, which is perfectly predictable and does not open any ambiguity.


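As an added illustration of the two renewal modes described in the answer (this is not part of the original post), the Go program below uses Go's standard crypto/x509 chain builder rather than Windows CryptoAPI. It issues a leaf from an old CA certificate and then checks whether that leaf still chains to a renewed CA certificate with a new key, and to one that reuses the key. The CA name, host name, keys and dates are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key pair; all key material here is constructed for the demo.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mkCert builds a certificate for cn over subject's public key, signed with issuerKey. With parent nil
// it is a self-signed CA cert; Go derives SubjectKeyId from the public key, so reusing the key keeps the SKID.
func mkCert(cn string, serial int64, from, to time.Time, parent *x509.Certificate, subject, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subject.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// chains reports whether leaf builds a valid chain to one of roots at time at; only a CA cert whose
// key verifies the leaf's signature can be its parent, so a new-key renewal never matches.
func chains(leaf *x509.Certificate, roots []*x509.Certificate, at time.Time) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at})
	return err == nil
}
```

Go's verifier tries every candidate parent with a matching subject, so with key reuse it finds the valid chain even when the expired CA certificate is also present; the answer's point is that chain engines which pick one candidate by weight can resolve that ambiguity the wrong way.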

Hi Crypt32



This surprises me. Does it mean that if there is 1 expired root cert and 1 renewed cert with the same key, Windows 10 may still select the expired one? It seems a stupid algorithm.
If there is 1 non-expired root cert and 1 renewed cert with the same key, should it still be OK even if Win 10 selects either one of them?


This surprises me. Does it mean that if there is 1 expired root cert and 1 renewed cert with the same key, Windows 10 may still select the expired one?

Yes. No system is perfect.

It seems a stupid algorithm.

Please avoid such blatant statements.

If there is 1 non-expired root cert and 1 renewed cert with the same key, should it still be OK even if Win 10 selects either one of them?

Until the older one expires. Then you may start to see problems.




Thank you for the advice.
